Division of responsibility
Systems that use cloud services require that security responsibilities be divided between, and shared by, the customer who owns the end system and the provider who owns the cloud infrastructure. How they are divided depends on the cloud service model: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) or SaaS (Software as a Service).
It can be visualized as a table of security layers, from the layer closest to the data down to the physical layer, showing who is responsible for each layer under each deployment model:

| Layer | Own infrastructure | IaaS | PaaS / SaaS |
|---|---|---|---|
| Data access management | Customer | Customer | Customer |
| OS and app security | Customer | Customer | Largely provider (VM protection, DB backups) |
| Network security (Overlay) | Customer | Customer | Provider |
| Data storage and hardware security | Customer | Provider | Provider |
| Network security (Underlay) | Customer | Provider | Provider |
| Physical security and disaster recovery | Customer | Provider | Provider |
If the customer uses their own infrastructure, the customer is solely responsible for ensuring security at every level.
With IaaS, the provider is responsible for the physical security and fault tolerance of the platform itself, for the security of the underlay network, and for collecting and analysing security events from hypervisors and other infrastructure components. The customer is responsible for everything inside the guest VMs.
In practice this means the IT department of a company using IaaS must back up its VMs, protect the virtual (overlay) network, keep the guest OSes patched and hardened, control access to the VMs and the data on them, and secure the cloud user accounts themselves.
With managed services (PaaS and SaaS), the customer has even less to take care of, because the provider also protects the higher layers of the stack: it protects the VMs and backs up the databases.
In every model, however, the customer alone remains responsible for controlling access to its data and managing permissions; the provider cannot decide who in the customer's organization may read or change what.
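The customer-side obligations that the last three paragraphs list (secure cloud user accounts, access control and permissions, the overlay network, guest OS patching and VM backups) can be checked mechanically. The script below is an added example written for this page, not code from the original article or from any cloud provider: the inventory layout, the thresholds and the individual checks are its own assumptions, and the sample inventory is constructed data. A real tool would fill the same structure from the provider's API and keep the same rules.

```python
# Added example (not from the original article): a rule-based audit of the
# customer-side responsibilities in an IaaS tenancy. The inventory layout,
# the thresholds and the specific checks are assumptions made for this
# example; a real tool would fill the same structure from the provider's API.
from datetime import date

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = {
    "users": [
        {"name": "alice", "admin": True, "mfa": True, "key_age_days": 30},
        {"name": "svc-deploy", "admin": True, "mfa": False, "key_age_days": 400},
        {"name": "bob", "admin": False, "mfa": False, "key_age_days": 10},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"name": "mgmt", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                     {"port": 3389, "cidr": "10.0.0.0/8"}]},
    ],
    "vms": [
        {"name": "web-1", "last_backup": "2024-05-01", "patch_age_days": 5},
        {"name": "bastion", "last_backup": None, "patch_age_days": 120},
    ],
}

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM: never expose to 0.0.0.0/0
MAX_KEY_AGE_DAYS = 90                   # assumed key-rotation policy
MAX_PATCH_AGE_DAYS = 30                 # assumed patch SLA for guest OSes
MAX_BACKUP_AGE_DAYS = 7                 # assumed backup policy


def audit(inventory, today_iso):
    """Return (layer, resource, finding) tuples for every customer-side gap.

    today_iso is an ISO date string used to age the backups. Layer names follow
    the responsibility table in the article; "VM backup" is added for the
    backup check.
    """
    today = date.fromisoformat(today_iso)
    findings = []

    # Data access management: cloud user accounts and permissions.
    for u in inventory["users"]:
        if u["admin"] and not u["mfa"]:
            findings.append(("Data access management", u["name"],
                             "administrative account without MFA"))
        if u["key_age_days"] > MAX_KEY_AGE_DAYS:
            findings.append(("Data access management", u["name"],
                             f"access key older than {MAX_KEY_AGE_DAYS} days"))

    # Network security (overlay): the customer's own virtual network rules.
    for sg in inventory["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
                findings.append(("Network security (Overlay)", sg["name"],
                                 f"port {rule['port']} open to the Internet"))

    # OS and app security plus backups: everything inside the guest VM.
    for vm in inventory["vms"]:
        if vm["patch_age_days"] > MAX_PATCH_AGE_DAYS:
            findings.append(("OS and app security", vm["name"],
                             f"guest OS not patched for {vm['patch_age_days']} days"))
        if vm["last_backup"] is None:
            findings.append(("VM backup", vm["name"], "no backup recorded"))
        else:
            age = (today - date.fromisoformat(vm["last_backup"])).days
            if age > MAX_BACKUP_AGE_DAYS:
                findings.append(("VM backup", vm["name"],
                                 f"last backup is {age} days old"))
    return findings


def summarize(findings):
    """Count findings per responsibility layer."""
    counts = {}
    for layer, _, _ in findings:
        counts[layer] = counts.get(layer, 0) + 1
    return counts


if __name__ == "__main__":
    for layer, resource, text in audit(SAMPLE_INVENTORY, "2024-05-10"):
        print(f"[{layer}] {resource}: {text}")
```

Every check here lives in a layer the article assigns to the customer even under IaaS; nothing in the script can tell you whether the provider's hypervisors or underlay network are sound, which is exactly the half of the model the customer has to take on trust.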